MFA reset policy

Resetting MFA

A committer may need to reset their multi-factor authentication (MFA) if they lose access to their MFA devices or believe their MFA has been compromised.

There are two paths to recovery if you have lost your MFA token(s):

  1. Self-service with a recovery code established during initial MFA setup.

  2. Identity validation by Infra. Have someone from your PMC or Department open an Infra Jira ticket, or email security@infra.apache.org. Infra will validate identity against factors that you previously registered with the ASF.

To keep this process low-friction, we strongly encourage committers to register multiple factors in advance:

  • Save the recovery codes provided during MFA setup.
  • Upload a valid GPG public key to id.apache.org.
  • Link your ASF and GitHub accounts via Boxer.

If a committer cannot establish their identity through any of their registered factors, the affected account will be disabled, and the person will need to work with their project to be onboarded again through the usual new-committer process.

Operational details of the reset procedure are maintained on the ASF Infra Cwiki. (Committer authentication required.)

Copyright 2026, The Apache Software Foundation, Licensed under the Apache License, Version 2.0.
Apache® and the Apache logo are trademarks of The Apache Software Foundation.